Re: [Tsv-art] [Last-Call] [DNSOP] Tsvart telechat review of draft-ietf-dnsop-dns-error-reporting-07
Paul Wouters <paul@nohats.ca> Wed, 14 February 2024 22:38 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81D37C14CE4B; Wed, 14 Feb 2024 14:38:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V9OZWrJofvMK; Wed, 14 Feb 2024 14:38:26 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C989C14CE42; Wed, 14 Feb 2024 14:38:25 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4TZtQ73vfXz1jv; Wed, 14 Feb 2024 23:38:23 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1707950303; bh=DjxHARwo684l7W3fXGzJ72f5RmPcwklCwgvA6XDGPH4=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=guia9slEyWlGMzw11ZvsugMJoAMLuQDpNJB3BX915bfA4Q5cjaW+iC+6kNeYML7C6 U0b9IoLLVYgu+MJa9q+QJAphiKm0FWStcfL+CdwZRldc/cNyLKLM4BlQBFGPC22ioj dtKU28XrMR6DhrpQZyQrCVlkH1XGoZmde1kTtR4Y=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id w371JtnT1cM4; Wed, 14 Feb 2024 23:38:22 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 14 Feb 2024 23:38:22 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id CC2E411237C0; Wed, 14 Feb 2024 11:03:28 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id C54FE11237BF; Wed, 14 Feb 2024 11:03:28 -0500 (EST)
Date: Wed, 14 Feb 2024 11:03:28 -0500
From: Paul Wouters <paul@nohats.ca>
To: Roy Arends <roy@dnss.ec>
cc: Gorry Fairhurst <gorry@erg.abdn.ac.uk>, tsv-art@ietf.org, dnsop <dnsop@ietf.org>, draft-ietf-dnsop-dns-error-reporting.all@ietf.org, last-call@ietf.org
In-Reply-To: <5F8E9601-0839-4DAA-A524-A322133187B1@dnss.ec>
Message-ID: <c64fea26-8863-013a-4574-68ca9de912ba@nohats.ca>
References: <170195243214.35471.15139593366465856989@ietfa.amsl.com> <73358628-DFCD-4048-A3D7-FFA2BCF3573D@dnss.ec> <8558549e-6967-1f5b-df6b-23c2785d2ba6@nohats.ca> <5F8E9601-0839-4DAA-A524-A322133187B1@dnss.ec>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/29_KqaLGJvuzSk35o7QJW4Eg1JU>
Subject: Re: [Tsv-art] [Last-Call] [DNSOP] Tsvart telechat review of draft-ietf-dnsop-dns-error-reporting-07
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Feb 2024 22:38:31 -0000
On Wed, 14 Feb 2024, Roy Arends wrote: >>> It is recommended that the client (the resolver) sets the DNS COOKIE. The benefit of using cookies is for the client. It is to make sure that the response is genuine. >> >> Does it? Not for an on-path attacker that sees the COOKIE in the clear. >> So what attack does this really counter? > > Ah, no, apologies, it doesn’t. (I’ll blame this on my DNSSEC muscle memory). I should know better. I’ll try again: > > There is text in the document that specifies what the monitoring agent should do if cookies are not used: > > Section 6.3: > > The monitoring agent SHOULD respond to queries received over UDP that > have no DNS COOKIE set with a response that has the truncation bit > (TC bit) set to challenge the resolver to re-query over TCP. So it is not the benefit of the client/resolver, but the benefit of the monitoring agent getting some more confidence the report is not spoofed. Maybe make that more explicit in the text? >> This sounds more like an attempt for a mechanism for the monitoring agent >> to determine that the incoming report is not send from a spoofed address, >> but it wouldn't work like that. Setting the TC would work, provided the >> client comes back. Or if the monitoring agent would demand a COOKIE >> before answering (even if the answer is not the actual data the resolver >> wants anyway). If the monitoring agent requests a COOKIE, it would force >> the resolver to resend with the COOKIE, proving it is not just a spoofed >> packet. But that would always result in double the load to the >> monitoring agent. > > A cookie may be set due to an earlier transaction, no? Which earlier transaction? If "er.otherdomain.example" is used for receiving only failure reports? I guess NS queries for "otherdomain.example" could trigger those. I am not sure what the current practise of DNS COOKIES is. Do responders only request it when they see their answer would be bigger than the question, or will they always ask for it? Can it be enabled per-domain, so you enable it "always" only for the error reporting zone? I can also see the case where resolvers might not want to invest in TCP connections for error reporting, and might decide to not report errors at all in such cases. So I am not sure the DNS COOKIES and/or TC strategy is the right one, unless it would only trigger after receiving repetitive reports. But if the reports are repetitive, no need to tell clients to come back with TCP, since you presumable already know the error they are wanting to report. I feel I am missing some guidance here. Perhaps this can be further explored in an Operational Considerations section? Paul
- [Tsv-art] Tsvart telechat review of draft-ietf-dn… Gorry Fairhurst via Datatracker
- Re: [Tsv-art] [DNSOP] Tsvart telechat review of d… Roy Arends
- Re: [Tsv-art] [Last-Call] [DNSOP] Tsvart telechat… Paul Wouters
- Re: [Tsv-art] [Last-Call] [DNSOP] Tsvart telechat… Roy Arends
- Re: [Tsv-art] [Last-Call] [DNSOP] Tsvart telechat… Paul Wouters
- Re: [Tsv-art] [DNSOP] [Last-Call] Tsvart telechat… Mark Andrews
- Re: [Tsv-art] [DNSOP] [Last-Call] Tsvart telechat… Mark Andrews